There are financial institutions that usually feel confident about enterprise risk management. They feel they’ve identified and assessed potential risk, risk tolerance levels have been defined, and strategies are in place for mitigating risk. Yet too often their risk monitoring activities fall short.
Unfortunately, many institutions get monitoring wrong. From missing essential steps to monitoring the wrong things, poor risk monitoring can cause institutions to underestimate or overestimate risk exposure—causing them to make critical decisions based on inaccurate information.
One of the most common errors is making risk decisions based on gut and perception rather than real-world data. A good example is compliance risk.
With Dodd-Frank seemingly in the past, many casual observers of compliance may think that regulatory change management isn’t nearly as onerous as in the past. After all, when Congress isn’t passing huge new rules there shouldn’t be huge amounts to do. Right?
A look at the data proves that idea wrong.
More Proposed and Final Rules Than in 2012
There have been more proposed and final rules published by banks’ primary functional regulators (CFPB, OCC, FDIC, NCUA and FRB) in the past 365 days than there was in all of 2012.
The past 365 days (since 6/17/2018) have brought 741 proposed and final rules. There were 736 in 2012.
This tells us that even though we are past the Dodd-Frank rule implementation era, financial regulatory changes are not necessarily slowing down. Rather, we are seeing active regulators who are proposing and making changes on a daily basis.
For example, in 2019 alone, regulators have issued 365 proposed and final rules—and we’re just over six months in! That means that there have been almost two potential rule changes every single day. If this trend continues in 2019, we may see almost the same amount of changes as we saw in 2012.
If your financial institution is making strategic risk management decisions based on the assumption that the compliance department needs fewer resources, it’s making a serious mistake.
It’s not just a question of practicality for business sake. Regulators are also very interested in knowing the board has reviewed results and whether metrics mesh with corporate objectives. Transparency with them and other third parties is essential.
Make sure that your risk management metrics are keeping up with the outside world, and help your institution separate fact from perception.